Apache Axis2/c SSL/TLS Hostname validation

2013.01.13
Credit: Seth Arnold
Risk: High
Local: No
Remote: Yes
CWE: CWE-310


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

In November, I asked if a CVE had been assigned to Axis2/C for failing to check hostnames when validating SSL/TLS certificates: http://www.openwall.com/lists/oss-security/2012/11/07/1 This was part of the fallout from this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf I was not confident enough in my reading of the source code to say that Axis2/C was vulnerable, so I did not pursue the issue at the time. Since then, I have re-read the code, emailed three developers privately, emailed the axis-c-dev mail list, and filed a JIRA bug report. None of these communications have received any kind of response. https://issues.apache.org/jira/browse/AXIS2C-1619 http://mail-archives.apache.org/mod_mbox/axis-c-dev/201301.mbox/browser Please assign a CVE for Axis2/C for failing to validate hostnames when checking SSL certificates.

References:

http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
https://issues.apache.org/jira/browse/AXIS2C-1619
http://mail-archives.apache.org/mod_mbox/axis-c-dev/201301.mbox/browser


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top